

How to authenticate to PasswordServer (apple-sasl protocol)?

Does anyone have any experience or pointers to documentation or code for authenticating a network user stored in OD by connecting to PasswordServer on port 3659 (apple-sasl)?


To handle cases where Kerberos is not an option, we're trying to do NTLMv2 authentication for users whose accounts are in OD (OSX Server for 10.10.*).


PasswordServer authentication is described in https://developer.apple.com/library/prerelease/mac/documentation/Networking/Conceptual/Open_Directory/OpenDir.pdf (page 13).

We'd like to be able to use the same approach for both OSX and Linux so we'd prefer to connect to PasswordServer over TCP instead of invoking setCredentialsWithRecordType on an ODNode. And FWIW, the specific authentication methods don't seem to be documented either. It appears that the SMB-NTLMv2 authentication method does what we want if we can figure out how to use it.


From Wireshark traces we can see that when one OSX 10.10 authenticates CIFS access using NTLMv2 for a network user in a separate OD server, it contacts PasswordServer, grabs the public RSA key and then sends an encrypted "RSAVALIDATE" request. That's probably a form of digest validation, but it sure would be helpful to find documentation or code that knows how to talk to PasswordServer and make use of RSAVALIDATE.


Alternative approaches welcome, but given that existing OSX systems talk to apple-sasl and Apple went to the trouble of registering port 3659 with IANA, it seems likely to be a relatively stable interface.


Finally, any clues on the genesis of PasswordServer? Is it derived from Cyrus SASL authd or anything else that might be close to being able to talk to it?

Mac mini, OS X Yosemite (10.10)

Posted on Oct 7, 2015 12:44 PM

2 replies

Oct 7, 2015 2:24 PM in response to Grant Bennet-Alder

One example where Kerberos will not work for us is when a Windows client has logged into an AD domain (that is not in a trust relationship with the OD server) and then wants to authenticate a CIFS mount to our server using different credentials that are in OD. We have it on good authority and reasonable traces that Windows will not talk Kerberos to multiple realms. It will willingly authenticate using NTLMv2 in this case.


There are other examples. Our ideal solution would be to use Kerberos when we can and fall back to NTLMv2 where we must.
